From 09c83241f63e56a497cb80be05fc70900e39d1f1 Mon Sep 17 00:00:00 2001
From: maho0638 <104829390+maho0638@users.noreply.github.com>
Date: Fri, 22 May 2026 15:47:08 +0300
Subject: [PATCH] fix(authenticate-users): secure SIWE verification with domain validation
Replaced insecure client.verifyMessage with verifySiweMessage to prevent cross-domain replay attacks. Added domain validation in both Backend and Express Server examples. Fixes #1502
---
 .../guides/authenticate-users.mdx | 20 ++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/docs/base-account/guides/authenticate-users.mdx b/docs/base-account/guides/authenticate-users.mdx
index 7a8332200..54f9625eb 100644
--- a/docs/base-account/guides/authenticate-users.mdx
+++ b/docs/base-account/guides/authenticate-users.mdx
@@ -147,12 +147,19 @@ try {
 ```ts Backend (Viem)
 import { createPublicClient, http } from 'viem';
 import { base } from 'viem/chains';
+import { verifySiweMessage } from 'viem/siwe';
 const client = createPublicClient({ chain: base, transport: http() });
 export async function verifySig(req, res) {
 const { address, message, signature } = req.body;
- const valid = await client.verifyMessage({ address, message, signature });
+const { isValid } = await verifySiweMessage(client, {
+ address,
+ message,
+ signature,
+ domain: req.headers.host ?? 'yourapp.com',
+});
+const valid = isValid;
 if (!valid) return res.status(401).json({ error: 'Invalid signature' });
 // create session / JWT
 res.json({ ok: true });
@@ -178,6 +185,7 @@ export async function verifySig(req, res) {
 regardless of where it originated.
+
 ### Example Express Server
 ```ts title="server/auth.ts" expandable
@@ -185,7 +193,7 @@ import crypto from "crypto";
 import express from "express";
 import { createPublicClient, http } from "viem";
 import { base } from "viem/chains";
-
+import { verifySiweMessage } from 'viem/siwe';
 const app = express();
 app.use(express.json());
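Review bot: `domain: req.headers.host ?? 'yourapp.com'` in the Backend (Viem) hunk (and the same lines in the Express hunk at `@@ -210,7 +218,13 @@`) takes the expected SIWE domain from the request itself, and Host is client-supplied unless a proxy in front rewrites it, so a message signed for another site can still be accepted by sending a matching Host header and the cross-domain replay protection this commit adds is largely defeated. The domain should be a fixed server-side value, e.g. `const EXPECTED_DOMAIN = 'yourapp.com'; // your deployed origin, never read from the request` and `domain: EXPECTED_DOMAIN`. Separately, unless the viem version these docs target differs from the one I recall, `verifySiweMessage` resolves to a boolean rather than an object, so `const { isValid } = await verifySiweMessage(...)` leaves `valid` undefined and every login is rejected; `const valid = await verifySiweMessage(client, { address, message, signature, domain: EXPECTED_DOMAIN });` fixes both points in one line. The added lines in both hunks are also indented inconsistently with the surrounding function body (`+const { isValid }` at column 0 inside `verifySig`), which readers will copy as-is. The closing brace of `verifySig` lies outside the first hunk.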
@@ -210,7 +218,13 @@ app.post("/auth/verify", async (req, res) => {
 }
 // 2. Verify signature
- const valid = await client.verifyMessage({ address, message, signature });
+ const { isValid } = await verifySiweMessage(client, {
+ address,
+ message,
+ signature,
+ domain: req.headers.host ?? 'yourapp.com',
+});
+const valid = isValid;
 if (!valid) return res.status(401).json({ error: "Invalid signature" });
 // 3. Create session / JWT here